Aug 30, 2016

I Want To Know What Code Is Running Inside My Body

The laws need to change. But be careful what you wish for. Lots of other people, with potentially unsupportive agendas, also want access to that data. JL

K McGowan reports in Back Channel:

Accessing the code or encrypted data in (a) device could infringe upon the manufacturer’s rights under the Digital Millennium Copyright Act (aka the Napster law). Harvard’s Berkman Center for Internet and Society took up the case for data dissidents. The group won a temporary exemption from the DMCA laws. These projects and ones like them are potentially transformative.
At age 33, Marie Moe learned that her heart might fail her at any moment. A computer security expert in Norway, she found out she has a fairly common heart condition that disrupts her normal pulse, so she had to get a pacemaker. The surgery was quick and uncomplicated. Just a few weeks later she was able to travel to London for a course on ethical hacking.
She felt fine, until she was climbing the stairs in Covent Garden, one of the deepest stations in the London Underground. Suddenly, something went very wrong with her heart. “I felt like I was going to die,” she says. “It was a horrible feeling. I had no breath left, I didn’t know what was happening.” Back in Norway, it took her cardiac technicians months to figure out what had happened: The heart rate limits on her pacemaker had been set incorrectly, so that as she exerted herself, the pacemaker’s default safety mode switched on, cutting her heart rate instantaneously from 160 beats per minute to 80.
Why did that happen, and why did it take so long to figure it out? She’s not quite sure, but she obtained her own medical records and saw notes suggesting that the programming device the technicians used to interrogate her pacemaker either had a faulty user interface or a software bug.
She started digging around some more. She found the technical manual for her pacemaker online, and learned that her device had remote monitoring capabilities that worried her. To a computer security professional, wireless communication was just one more way that the device was vulnerable to malicious tinkering.
Then she bought a pacemaker programmer online, and she and other hackers figured out that it could be used to update the code on her implant. She didn’t hack her own device, though — she was mainly alarmed that she’d entrusted her heartbeat to a stranger’s code, which might get updated without her knowledge. “I want to know what code is running inside my body,” she says. “If someone wants to alter that code, I want to make an informed decision.”
Now that her device is properly programmed, her heart is strong; she even ran a half-marathon last year. Moe says she definitely doesn’t want to scare people away from getting a pacemaker if they need it. But she wants changes in how code for all such devices is handled. Right now it is proprietary, with no easy way for it to be tested and explored by security experts. “Medical devices are black boxes,” she says. “You can’t look into them, there’s no transparency, we don’t know how they work.”
Boston attorney and open-source activist Karen Sandler has a similar story: She has a common hereditary condition called hypertrophic cardiac myopathy, and her heart is prone to glitches and arrhythmias that could potentially be fatal. She has an implantable cardioverter defibrillator (ICD), which unlike a pacemaker kicks in only if she needs to be shocked out of an arrhythmia and back to life. Recently, it has mistakenly shocked her twice, including while she was pregnant. Pregnancy can bring on heart rhythm changes that the device interpreted as a dangerous arrhythmia. Like Moe, Sandler wants to be able to explore the code running her device for programming flaws and vulnerability to hacking, but she can’t. “Because I don’t have access to the source code, I have no power to do anything about it,” she says. In her eyes, it’s a particularly obvious example of a problem that now cuts across much of modern life: proprietary software has become crucial to daily survival, and yet is often locked away from public exploration and discussion by copyright.
In fact, accessing the code or encrypted data in the device could infringe upon the manufacturer’s rights under the Digital Millennium Copyright Act (aka the Napster law). So in 2014, the Cyberlaw Clinic at Harvard’s Berkman Center for Internet and Society took up the case for Sandler and three other data dissidents: Hugo Campos, who is waging a public campaign to get direct access to data gathered by his ICD, security consultant Jay Radcliffe, who has probed the vulnerabilities of insulin pumps, and engineer Ben West, a type 1 diabetic who figured out how to modify his glucose monitor and implanted insulin pump to improve his own treatment. (West’s innovation touched off a grassroots DIY movement among parents of diabetic kids.)
In October the group won a temporary exemption from the DMCA laws. These projects and ones like them are potentially transformative, says Andy Sellars, the Cyberlaw Clinic fellow who led the petition. Think about what the West Virginia University researchers did with Volkswagens, he says: “One person can make a big difference in this space.”
Alone among the DMCA Four, Campos is not a techie — he just wants access to all the information collected by his ICD, so that he can identify what might trigger the glitches in his heart. Like Sandler, he also has hypertrophic cardiac myopathy, and he wants to do a comprehensive analysis to see connections between whatever he’s doing (sleeping, drinking coffee, dancing) and episodes of arrhythmia, so that he can avoid these attacks. His ICD continuously tracks his heart and wirelessly beams the information back to the vendor, Medtronic. But when he’s asked Medtronic if he can get the information too, the answer has always been no. Campos is supposed to ask his doctor — but what doctor has time for that kind of analysis?
Instead, he took a training course meant for cardiac technicians, bought himself the same device-interrogation machine they use, and did it himself. (To his dismay, the data showed him that whisky was one trigger, so he stopped drinking it.)
In the process, Campos has been transformed into an activist, advocating for data of all kinds to be more easily available to those who want it. “You’re pulling data from my cardiac device that I paid for, implanted inside my body, the most intimate piece of technology anyone can have, and yet I’m devoid of access to the device? That moved me to my core,” he says. “That’s just not right.”


